From: Timothy J.Miller (cerebus_at_sackheads.org)
Date: Fri Aug 16 2002 - 11:55:40 CDT



On Friday, August 16, 2002, at 10:24 AM, Matthew Murphy wrote:

> We must direct our anger towards these losers at these losers. Anything
> else is an attack against our own values. While they claim to be hackers,
> their method of attack shows them to be nothing more than spoiled children.
> You can either fight them or give up, there's not an inch of middle ground.
> Are you up for it?

In some ways, I understand their ire. There are, within the "security
industry" (whatever that means), people who -- intentionally or
unintentionally -- sell their customers short. These people create a false
aura of security wherever they pass, and are unwilling or incapable of
expanding their capabilities.

Scanning a network doesn't make it secure, but we've all run into people
who think it does -- including people who should know better.

I've long advocated (and tried to design) systems (not just hardware,
but software and business practices) that *fail well*. Systems designed
not to be unbreakable -- a fool's pursuit, to be sure -- but to contain
the inevitable breach. Systems that fail in known modes, so that the
consequences of an intrusion are known ahead of time, and steps can be
taken based on that knowledge. Systems that don't eliminate risk, but
manage risk.

Unfortunately, most customers aren't interested, because systems like
this are expensive. They're hard to design, hard to build, hard to
maintain, and require profound knowledge of the components and the
activities that use them. It's a hard sell, especially when those less
educated self-labeled experts (and vendors) are pushing silver bullets
in the form of yet another certification, yet another scanner, yet
another training course.

I could be wrong, but I see the current upwelling of vitriol directed at
these people. They are truly living off the labor of others, and
providing little of use to anyone, including their customers. But
they're not everyone.

-- Cerebus

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html